Life as a “Ledger” Wallet Data Breach Victim

I have had two Ledger Nano X* cryptocurrency wallets for a couple of years now. One of them died during a firmware update. They offered to replace it, but I didn’t print the label and send it in time. That’s on me, and if that was the only problem I had I could have lived with it.

Unfortunately, Ledger collects a lot of personal information about you, such as your email address, phone number and even your home address! They failed to protect this information and got hacked, and all of this data was exposed. Funds were not stolen because of the way hardware wallets work (your private key never leaves the device and is generated by the end user), but apparently everything else except the money was (all your personal data, how much you have, etc.)!

I was a confirmed “victim” of this hack and I wanted to write this article to explain what (if anything) has happened since. Spoiler alert: plenty!

First Notice – July 29th 2020

The first notice I received was in July 2020 and didn’t sound too serious. They clearly didn’t realize the extent of what they were dealing with at the time. It sounded like mostly just email addresses (they only said a small subset had more information stolen).

I was already getting contacted at this point, and I’m sure many others were as well, which is likely what initially prompted them to send out this notice. Here is the first notice I received:

Ledger Security Notice #1 – July 29th 2020

By now I had already started receiving phone calls/texts/emails but we’ll get into that more later.

Second Notice – December 21st 2020

Almost a full 6 months later I received a second notice that was a lot more serious. Here it is:

Ledger Security Notice #2 – December 21st 2020

Now that is a lot more specific! They’re getting warmer. They now know that my name and surname and my postal address were exposed.

Initially when I received this I thought they’re still not quite there yet. My phone number was most certainly also leaked but that didn’t seem to be in their list. Very curious!

Third Notice – December 23rd 2020

Only a couple of days later I received a third notice. This one did have my phone number included, but it is a different hack altogether. This one is the “Shopify” hack; Shopify happens to be Ledger’s e-commerce vendor.

Here is the third notice:

Ledger Security Notice #3 – December 23rd 2020

The notice states that this hack was reported to Shopify in September of 2020, which was months after I received my notice for the first hack. They got their information stolen/hacked again in a separate incident with their e-commerce vendor.

This means there are now multiple copies of all my personal information like phone number and address, cryptocurrency balances at the time, email, etc. floating around in multiple separate hacking incidents and data dumps. This is a device that is supposed to help you protect your cryptocurrency and keep it safe. What a mess!

Spam Emails

The spam emails have only continued to increase over time. This is probably because my leaked information is on lists being sold/passed around to various spammers. They are *very* targeted toward cryptocurrency.

Gone are the days where my spam folder is filled with people trying to sell me Viagra (there is still one in there keen readers may spot). It now looks like this:

Gmail Spam Folder after Ledger data leak

I even have a message from elon @ give-away tesla.com with a 5000 BTC giveaway, wow! This has been and continues to be a pretty dramatic change from what it looked like before the leak, when nobody knew this email address was tied to cryptocurrency.

Spam Text/Voicemails

Fortunately these have decreased in frequency over time. Early on when the leaks were still fresh and even before we were notified of the breach I was getting multiple of these per day. It has been a couple of months since I got a cryptocurrency related spam voicemail. The texts don’t seem to be coming through as frequently lately either.

I should note though that I have a Google Pixel phone running the latest Android and they have been improving their SMS/voicemail spam detection. It’s possible these attempts haven’t decreased at all but rather that Google’s spam filter is getting much better at catching them now that these attacks have been going on for a while.

Final Thoughts

I’m very disappointed that Ledger has somehow managed to leak my most personal data such as cell phone number, cryptocurrency balances, email address, home address, etc. multiple times across several different hacks. The spookiest part of it has been how targeted some of these email/SMS messages are. They know exactly which cryptocurrencies I have so they will specifically target Ethereum, Litecoin and some of the others that I was holding a balance on during these leaks.

Buying from Ledger directly (where they ship it to you from France) is supposed to be the safest way to buy it, since there have been some instances of devices being tampered with on third-party retailers. My initial data leak was directly because I bought it from them instead of Amazon. There have been several more though, so now it’s difficult to tell if it would have made any difference across these multiple leaks. I have had a Trezor One* for much longer than both of my Ledger devices and none of that data has ever been leaked.

I use my Ledger every single day. I am using it to stake multiple cryptocurrencies during my journey to learn about and discover staking (stay tuned for some articles on this) and use it to sign my staking transactions. The device is pretty nice to use and supports by far the most cryptocurrencies out there. It has kept my cryptocurrency safe. I wish I could say the same about my personal data.

I really strongly encourage Ledger to permanently get rid of and scrub all these programs to gather data on your customers. Why do you need to keep this sales and marketing list that got initially hacked? Why does Shopify have a database of all this info waiting to be stolen? These appear to be the vendors that you yourselves selected and entered into agreements with. It can’t be worth whatever they paid you to be able to gather/collect this information, and if you didn’t know they were doing it then I sincerely hope you have completely redone those agreements by now to make sure they aren’t collecting a big database of this information.

Have any of you out there reading this been negatively impacted by these data leaks? I’m curious what your stories are!
